Counter-mode encryption (CTR mode) was introduced by
Diffie and Hellman as early as 1979 [5] and is already standardized by, for
example, [1, Section 6.4]. It is indeed one of the best-known modes that are
not standardized in [10]. We suggest that NIST, in standardizing AES modes
of operation, should include CTR-mode encryption as one possibility, for the
following reasons. First, CTR mode has significant efficiency advantages over
the standard encryption modes without weakening the security. In particular,
its tight security has been proven. Second, most of the perceived
disadvantages of CTR mode are not valid criticisms, but rather are caused by
a lack of knowledge.